The impact of log4j is no longer limited to exposed vulnerable servers.
December 17, 2021
An alternative local attack vector has been discovered for the log4j vulnerability, which already is wreaking havoc in the tech industry.
Last week, researchers discovered a zero-day exploit in the popular Java logging library log4j. Logging an attacker-controlled string results in remote code execution (RCE).
Previously, it appeared the impact of log4j was limited to exposed vulnerable servers, Blumira said. This newly discovered attack vector means attackers can exploit anyone running a vulnerable log4j version, whether or not the host is exposed to the internet.
It can be difficult to gain deep visibility into WebSocket connections within the host, which makes detecting this attack more complex. At this point, there is no proof of active exploitation.
The log4j vulnerability, dubbed Log4Shell, already provides a relatively easy exploit path for threat actors. This new attack vector expands the attack surface for log4j even further.
Matthew Warner is Blumira’s CTO and co-founder.
“When the log4j vulnerability was released, it became quickly apparent that it had the potential to become a larger problem,” he said. “This attack vector opens up a variety of potential malicious use cases, from malvertising to creating watering holes for drive-by attacks. Bringing this information to light ensures that organizations have the opportunity to act quickly and protect themselves against malicious threat actors.”
BreachQuest’s Jake Williams
Jake Williams is co-founder and CTO of BreachQuest.
“This represents one of the first RCE exploits being relayed by WebSockets,” he said. “This shouldn’t change anyone’s position on vulnerability management though. Organizations should be pushing to patch quickly and mitigate by preventing outbound connections from potentially vulnerable services where patching is not an option.”
StrikeReady’s Anurag Gurtu
The Khonsari ransomware gang is currently exploiting the Log4Shell vulnerability, said Anurag Gurtu, StrikeReady‘s chief product officer.
After execution, the malware enumerates all mounted drives (other than C:/) and targets user directories, including Documents, Videos, Downloads and Desktop. It encrypts files with AES-128 in CBC mode.
The Log4Shell vulnerability isn’t slowing down, Gurtu said.
“In the second and third stages, threat actors are aggressively deploying malware families,” he said. “Among them are Kinsing, XMR and Mirai. Additionally, some coin-miners and CobaltStrike beacons have been observed in the wild.”
Researchers have observed nearly 2,000 malicious indicators of compromise (IOCs) so far, Gurtu said. That requires immediate attention.